The UK's Secret Intelligence Service, the CIA and Mossad were among organisations spoofed after a hack on Dutch certificate authority DigiNotar.

Around 531 organisations were targeted by falsely issued SSL certificates, including the UK's Secret Intelligence Service, after a hack on Dutch certificate authority DigiNotar.

The Tor project released a Dutch government-compiled list of bad DigiNotar-related certificates in a blog post on Sunday. A number of falsely issued certificates were created for MI6, while organisations including Google, Facebook, Twitter, Skype and the Tor project itself were also targeted. In all, 531 organisations were affected, Jacob Appelbaum, one of the core Tor project developers, said in the blog post.

"The most egregious certs issued were for *.*.com and *.*.org while certificates for Windows Update and certificates for other hosts are of limited harm by comparison," Appelbaum said.

Microsoft said on Sunday that Windows Update users were not at risk of exploitation from the windowsupdate.com certificate, as the domain was no longer in use.

The attack appeared to have been used to spy on Iranian web users on a grand scale, security company Trend Micro said in a blog post on Monday, particularly those using Gmail.

"We found that internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by DigiNotar," Trend Micro senior threat researcher Feike Hacquebord said in the blog post. "Even worse: we found evidence that some Iranians who used software designed to circumvent censorship and snooping on traffic were not protected against the massive man-in-the-middle attack."

Trend Micro analysed customer traffic, and found that the SSL validation site validation.diginotar.nl was "mostly loaded by Dutch and Iranian Internet users until August 30, 2011", when the false certificates were publicised. In addition, Iranians using anti-censorship technology from an unnamed Californian organisation that relies on proxy nodes were not protected, said Hacquebord.

Revoked trust

The Dutch government has revoked trust in DigiNotar certificates, a government technician told ZDNet UK on Monday.

Until Saturday, the Dutch government recognised two types of DigiNotar certificates: general certificates issued to businesses, and certificates the government used in its own public key infrastructure (PKI), called 'PKIoverheid'. The technician advised people to be careful about using the Dutch government PKI until the government transfers to a different PKI provider.

"It's not safe to use [the PKI]," said the technician. "You need to be careful of government sites with a yellow lock in the URL bar, especially if the sites say they will transfer you to another website."

The Dutch Computer Emergency Response Team (Cert) said that an audit by security company Fox-IT on Friday had found that 'PKIoverheid' could no longer be trusted.

The Dutch minister of internal affairs announced the government was revoking DigiNotar certificates at 1.15am on Saturday morning, according to security company Kaspersky, which said the compromise could be more important than Stuxnet.

"The Dutch government is launching a formal investigation to find out if the Iranian government was behind the attack," said Kaspersky Lab security expert Roel Schouwenberg.

Mozilla developer Gervase Markham said in a blog post on Monday that the Fox-IT report should be ready for release soon, and that Iranian users should update their Firefox browsers.

The Dutch government announced it had taken over operational management of DigiNotar certificates in a release on Monday.
